This policy establishes a minimum expectation, with respect to access controls, in
order to protect data stored on computer systems at Middle Tennessee State University
(MTSU or University).

II. General

A. MTSU will control user access to information assets based on requirements of individual
accountability, need to know, and least privilege.

B. Access to University information assets must be authorized and managed securely
in compliance with appropriate industry practice and with applicable legal and regulatory
requirements (i.e., Health Insurance Portability and Accountability Act, Family Educational
Rights and Privacy Act, Open Records Act of Tennessee, Gramm Leach Bliley Act, and
identity theft laws).

C. University information assets include data, hardware, software technologies, and
the infrastructure used to process, transmit, and store information.

1. Any computer, laptop, printer, or device that an authorized user connects to the
campus network is subject to this policy.

2. Guest/unauthenticated access may be provisioned commensurate with usage and risk.

3. Authorized users accessing University computing resources and network with their
own personal equipment are responsible for ensuring the security and integrity of
the systems they are using to establish access.

III. Access Controls

A. Access to information assets must be restricted to authorized users and must be
protected by appropriate physical, administrative, and logical authentication and
authorization controls.

B. Protection for information assets must be commensurate with the confidentiality
of the information.

C. Each computer system shall have an automated access control process that identifies
and authenticates users and then permits access based on defined requirements or permissions
for the user or user type.

D. All users of secure systems must be accurately identified; a positive identification
must be maintained throughout the login session; and actions must be linked to specific
users.

3. Users must provide their user ID at logon to a computer system, application, or
network.

B. Individual Accountability. Each and every user ID must be associated with an individual
person, who is responsible for its use.

C. Authentication:

1. Authentication is the means of ensuring the validity of the user identification.

2. All user access must be authenticated.

a. The minimum means of authentication is a personal secret password that the user
must provide with each system and/or application logon.

b. All passwords used to access information assets must conform to certain requirements
relating to password composition, length, expiration, and confidentiality. See Policy 925 Implementation of Secure Passwords for password requirements.

V. Access Privileges

A. Each user’s access privileges shall be authorized on a need-to-know basis as dictated
by the user’s specific and authorized role.

B. Authorized access will be based on least privilege.

1. This means that only the minimum privileges required to fulfill the user’s role
will be permitted.

2. Access privileges must be defined so as to maintain appropriate segregation of
duties to reduce the risk of misuse of information assets.

3. Any access that is granted to data must be authorized by the appropriate data
custodian.

C. Access privileges should be controlled based on the following criteria, as appropriate:

D. Privileged access (i.e., administrative accounts, root accounts) must be granted
based strictly on role requirements.

VI. Access Account Management

A. User ID accounts must be established, managed, and terminated to maintain the
necessary level of data protection.

B. The following requirements apply to network logons, as well as individual application
and system logons, and should be implemented where technically and procedurally feasible:

1. Account creation requests must specify either the required access explicitly or a
role that has been mapped to the required access.

2. Accounts must be locked out after five (5) consecutive invalid logon attempts
and remain locked out for a minimum of five (5) minutes, or until authorized personnel
unlock the account.

3. User interfaces into secure systems must be locked after no more than twenty (20)
minutes of system/session idle time.

4. Systems housing or using restricted information must be configured so that access
to the restricted information is denied unless specific access is granted.

5. Access must be revoked immediately upon notification that access is no longer
required or authorized.

a. Access privileges of terminated or transferred users must be revoked or changed
as soon as possible.

b. In cases where an employee is not leaving on good terms, the user ID must be disabled
simultaneously with departure.

6. User IDs will be disabled after a period of inactivity determined to be appropriate
by the current business process.

7. All third party access (contractors, business partners, consultants, vendors)
must be authorized and monitored.

8. Appropriate logging will be implemented commensurate with sensitivity/criticality
of the data and resources.

a. Logging of attempted access must include failed logons.

b. Logs should be monitored and regularly reviewed to identify security breaches
or unauthorized activity.

c. Logs should be maintained for at least ninety (90) days.

9. A periodic audit of secured systems to confirm that access privileges are appropriate
must be conducted. The audit will consist of reviewing and validating that user access
rights are still needed and are appropriate.

VII. Compliance and Enforcement

A. This policy applies to all users of information resources, including students,
faculty, staff, temporary workers, vendors, and any other authorized users who are
permitted access.

B. Persons in violation of this policy are subject to a range of sanctions, determined
and enforced by University management, including the loss of computer network access
privileges, disciplinary action, dismissal from the institution, and legal action.

C. Some violations may constitute criminal offenses, per Tennessee and other local
and federal laws. The University will carry out its responsibility to report such
violations to the appropriate authorities.

VIII. Exceptions

Documented exceptions to this policy may be granted by the Vice President for Information
Technology and Chief Information Officer.
